< ciso
brief />
Tag Banner

All news with #tool abuse tag

43 articles

Claude for Chrome click flaw lets other extensions act

🔒 Manifold Security found that Claude for Chrome still accepts synthetic clicks and can read permission mode from its URL, enabling other extensions with DOM access on claude.ai to trigger nine allowlisted tasks (including Gmail, Google Docs, and Calendar). Anthropic constrained arbitrary prompts after ClaudeBleed, but the click handler lacks an event.isTrusted check and the side panel honors ?skipPermissions=true, creating high-risk scenarios especially if "Act without asking" is enabled. Manifold reported this in May against v1.0.72; the issues remained in v1.0.80 as of July 7 and no patch or public advisory was available by July 14.
read more →

GhostApproval: AI coding assistants allow hidden writes

🔒 Wiz Research disclosed GhostApproval, a flaw in six AI coding assistants that allows symlink tricks to make approval prompts misrepresent targets. The vulnerability can let a repository write attacker-supplied keys or files to sensitive locations, potentially enabling passwordless remote access or remote code execution. Amazon, Google and Cursor have patched the issue; Augment and Windsurf have yet to fix it, while Anthropic disputes that its behavior is a vulnerability. Wiz recommends resolving symlinks before approval and flagging writes outside the project.
read more →

HalluSquatting: New AI supply-chain attack risks

🛡️ New research describes "HalluSquatting," an attack that exploits AI assistants' habit of inventing resource names. Attackers register those predictable fake names on marketplaces and plant adversarial instructions; when an assistant hallucinate-fetches the same name, it may run the attacker's commands. The technique abuses auto-run modes and agent tools that fetch and execute external code, permitting widespread compromise without traditional malware or exploits.
read more →

SkillCloak research shows scanners can be bypassed

🛡️ Researchers at the Hong Kong University of Science and Technology show that simple file-level transformations and packing tricks can let malicious AI coding agent "skills" evade existing static scanners while still executing normally. Their tool, SKILLCLOAK, fooled multiple marketplace scanners over 80–99% of the time, while a runtime sandbox, SKILLDETONATE, detected most evasions at the cost of slower analysis. The study highlights active real-world abuse, practical mitigation ideas, and the need to move trust decisions to behavior observed at execution time.
read more →

BioShocking prompt attack tricks AI browsers

🧩 Researchers at LayerX demonstrated a prompt injection called BioShocking that trains AI-powered browsers to treat risky real-world actions as fictional, bypassing safety controls. The PoC used a themed puzzle game to reward 'wrong' behavior and culminated in instructing agents to copy sensitive data from a GitHub repo. Six mainstream agentic browsers were tested; only one vendor implemented a working fix after disclosure. LayerX recommends explicit user confirmations, stricter context checks, and session scope limits.
read more →

Microsoft Warns of Poisoned MCP Tool Risk

🛡️ New Microsoft research shows attackers can hijack AI agents by poisoning a tool's description so the agent quietly exfiltrates company data. The attack leverages MCP tool descriptions—plain text that agents read—to inject hidden instructions, allowing malicious actions without obvious rule violations. Microsoft recommends treating tool descriptions as system prompts, restricting approved tools, enforcing human approval for risky actions, and monitoring agent identities and behavior.
read more →

Securing AI agents as tools shift from read to act

🛡️ This Microsoft Incident Response post examines an attack pattern targeting Model Context Protocol (MCP) tools, where poisoned tool metadata causes agentic AI to perform unauthorized actions. It outlines a playbook for detecting, containing, and preventing these attacks using Microsoft security controls and maps techniques to the OWASP Top 10 for Agentic Applications. The guidance emphasizes treating MCP servers as supply-chain dependencies, reviewing tool descriptions as prompts, and applying least agency controls.
read more →

Malicious AI agent skill bypasses security checks

🛡️ A faux AI agent skill called brand-landingpage bypassed static security scanners and reached over 26,000 users via an Instagram ad, highlighting risks as enterprises adopt AI-driven tools. The skill pointed agents to a fake Stitch SDK hosted on a domain controlled by researchers, which initially redirected to the real Google Stitch site to pass review. After distribution, the researchers changed the hosted content to instruct agents to download a script that collected email addresses, demonstrating how mutable external resources let malicious behaviors slip past static reviews. Security vendors and scanners from Cisco, Nvidia, and skills.sh marked the skill safe during testing.
read more →

Fake AI Agent Skill Bypasses Security Checks

🛡️ A security firm, AIR, created a benign but deceptive AI agent skill named brand-landingpage, pushed it through a major skill marketplace and promoted it with an Instagram ad, and reports it reached roughly 26,000 agents including corporate accounts. Scanners from vendors like Cisco and NVIDIA marked the package safe because the skill pointed to external setup documentation rather than embedding malicious code. AIR later swapped the external page to deliver a harmless payload that collected email addresses, demonstrating how scanners miss links that can be rewritten after review. The experiment highlights structural trust problems with skills and common mitigations such as pinning versions and vetting external references.
read more →

Runtime signals to detect compromised AI agents

🛡️ In response to widespread prompt-injection risks, the article outlines runtime signals to detect compromised AI agents that possess the so-called lethal trifecta: access to private data, ingestion of untrusted content, and external communication ability. It argues that this trifecta is now the default for useful agents, so defenses must shift from architecture rules to behavioral, runtime detection. Recommended signals include instruction-following anomalies, unexpected tool-call sequences, low-bandwidth exfiltration channels, out-of-scope credential access, and suspicious memory writes.
read more →

Behavioral Integrity Risks in AI Agent Skills

🔎 AI agent skills can install third-party capabilities with privileged access, yet registries lack automated audits. Palo Alto Networks introduces Behavioral Integrity Verification (BIV), which compares declared metadata, executable code and natural-language instructions to detect mismatches. Applied to the OpenClaw registry, BIV found widespread deviations and identified multi-stage attack chains that enable credential theft, RCE and exfiltration. The report recommends inventorying skills and requiring pre-install behavioral checks.
read more →

Agentjacking: AI coding agents hijacked via Sentry flaw

🛡️ Researchers describe a new "agentjacking" attack that tricks AI coding agents into executing arbitrary code by injecting malicious instructions into Sentry error events. Tenet Security says the flaw leverages Sentry DSNs — public, write-only credentials — to post crafted markdown that appears as legitimate remediation guidance. Agents retrieving unresolved errors via MCP render the injected content as trusted and may execute the embedded commands with developer privileges. The report confirmed high exploitability across popular agents and thousands of exposed DSNs.
read more →

Securing AI Agents as Enterprise Workforce

🛡️ An enterprise sales team built an AI agent to manage renewals; the agent reads emails, queries CRM data, drafts responses, and updates records. This workflow combines private data, untrusted input, and external communication, changing the security model. Traditional controls like IAM and DLP still matter but are insufficient alone. Runtime, context-aware controls that inspect prompts, outputs, and tool calls are required to prevent prompt injection, data exfiltration, and unsafe actions.
read more →

AI-built ransomware toolkit automates EDR evasion

🛡️ A threat actor used an AI-assisted ransomware toolkit to automate Active Directory discovery and iterate EDR evasion techniques. Researchers found Cursor and Claude Opus agents used for coding, analysis, testing, and checking public research for bypass methods, with some malware tested against Sophos, CrowdStrike, and Microsoft EDR products. Sophos determined the workflow was human-directed, while AI accelerated development, producing numerous payload modules and mapping techniques to MITRE ATT&CK.
read more →

Claude in Chrome vulnerability lets other extensions hijack

⚠️ Researchers at LayerX Security disclosed a flaw dubbed ClaudeBleed in Anthropic’s Claude in Chrome extension that lets other extensions inject scripts and commandeer the assistant. The issue stems from an exposed messaging interface that trusts origins instead of execution context, enabling zero-permission extensions to issue prompts and perform cross-site actions. Anthropic released a partial patch (v1.0.70) on May 6; LayerX urges stronger mitigations.
read more →

Cursor extension flaw exposes local API credentials

🔒 A high-severity vulnerability in the AI-powered development tool Cursor allows installed extensions to read sensitive credentials stored locally, researchers at LayerX report. The issue stems from Cursor keeping API keys, session tokens and cached configuration in an unprotected SQLite database rather than using OS keychains or encryption, and it does not restrict extension access. LayerX assigned the flaw a CVSS score of 8.2 and demonstrated silent exfiltration without user prompts. Cursor acknowledged the notice but said trust boundaries are the user's responsibility; as of 28 April 2026 the vulnerability remains unresolved.
read more →

MCP STDIO Design Choice Enables Widespread RCE Risk

⚠️ Researchers at OX Security warn that a design decision in Anthropic’s reference Model Context Protocol (MCP) STDIO implementation may permit remote code execution (RCE) when client applications start local MCP servers without proper command filtering. The flaw stems from SDKs accepting arbitrary STDIO commands as subprocess arguments, which many adapters and tools inherit. Anthropic and other framework maintainers say this behavior is by design and that application developers must sanitize inputs, but OX found few effective defenses and demonstrated RCE across numerous projects and services.
read more →

How Attackers Abuse AI Services to Breach Enterprises

⚠️ Attackers are increasingly abusing enterprise AI services—poisoning connectors, impersonating Model Context Protocol (MCP) servers, and using platforms as covert C2 channels—to exfiltrate sensitive data and hide malicious traffic. Notable incidents include a counterfeit MCP package siphoning transactional emails, the SesameOp backdoor tunneling commands through the OpenAI Assistants API, and command-injection flaws in Microsoft Copilot and OpenClaw that enabled agent hijacking. Threat actors also automate espionage with Claude Code and assemble modular black‑hat stacks like Xanthorox and Hexstrike. Security teams should treat AI assistants like privileged users, enforce governance, and harden supply-chain and connector integrity.
read more →

Agentic Era: How AI Is Reshaping the Cyber Threat Landscape

🤖 Between January and February 2026, AI-assisted malware development matured from experimentation into operational capabilities that materially change attack economics. What once required coordinated teams can now be executed by a single experienced developer using an AI-powered IDE, accelerating weaponization, iteration, and delivery of attacks. Enterprise productivity and development tools have become enlarged attack surfaces, while automation and agentic workflows enable faster, more evasive intrusion chains. Defenders must shift toward behavior-based detection, robust telemetry, and secure development and supply chain controls.
read more →

Open-source AI Attack Kit CyberStrikeAI Raises Alarms

⚠️ CyberStrikeAI is an open-source, AI-native attack orchestration platform that consolidates end-to-end offensive tooling and automation into a single repository. According to Team Cymru, the project ships with more than 100 curated tools, native Model Context Protocol (MCP) integration, role-based testing, a skills system and mobile chatbots, and has been linked to a developer with alleged ties to Chinese state-affiliated firms. Researchers warn the platform dramatically lowers the technical barrier for attackers and could accelerate AI-augmented exploitation against edge devices and appliances.
read more →